From 99a542ea8bea4376e819cdbc7d811f6ce84efb9c Mon Sep 17 00:00:00 2001
From: Yi-Hung Wei
Date: Mon, 7 Jan 2019 15:48:19 -0800
Subject: [PATCH] selinux: Add missing permissions for ovs-kmod-ctl

Starting from OVS 2.10, ovs-vswitchd may fail to run after system reboot since it fails to load ovs kernel module. It is because the conntrack zone limit feature introduced in OVS 2.10 now depends on nf_conntrack_ipv4/6 kernel module, and the SELinux prevents it to load the two kernel modules.

Example log of the AVC violations:
type=AVC msg=audit(1546903594.735:29): avc: denied { execute_no_trans } for pid=820 comm="modprobe" path="/usr/bin/bash" dev="dm-0" ino=50337111 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1546903594.791:30): avc: denied { module_request } for pid=819 comm="modprobe" kmod="nf_conntrack-2" scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

This patch adds the missing permissions for modprobe command in ovs-kmod-ctl so that the aforementioned issue is resolved.

VMWare-BZ: #2257534
Acked-by: Aaron Conole
Signed-off-by: Yi-Hung Wei
Signed-off-by: Ben Pfaff
---
 selinux/openvswitch-custom.te.in | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in
index 4a16e5eefdf..26495828a65 100644
--- a/selinux/openvswitch-custom.te.in
+++ b/selinux/openvswitch-custom.te.in
@@ -16,6 +16,7 @@ require {
 	type init_t;
 	type init_var_run_t;
 	type insmod_exec_t;
+	type kernel_t;
 	type hostname_exec_t;
 	type modules_conf_t;
 	type modules_object_t;
@@ -32,7 +33,6 @@ require {
 
 @begin_dpdk@
 	type hugetlbfs_t;
-	type kernel_t;
 	type svirt_t;
 	type svirt_image_t;
 	type svirt_tmpfs_t;
@@ -51,7 +51,7 @@ require {
 	class netlink_audit_socket { create nlmsg_relay audit_write read write };
 	class netlink_socket { setopt getopt create connect getattr write read };
 	class sock_file { write };
-	class system module_load;
+	class system { module_load module_request };
 	class process { sigchld signull transition noatsecure siginh rlimitinh };
 	class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl };
@@ -110,6 +110,7 @@ allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map };
 allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write };
 allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search };
 allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read };
+allow openvswitch_load_module_t kernel_t:system module_request;
 allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search };
 allow openvswitch_load_module_t modules_conf_t:file { getattr open read };
 allow openvswitch_load_module_t modules_object_t:file { map getattr open read };
@@ -120,7 +121,7 @@ allow openvswitch_load_module_t plymouth_exec_t:file { getattr read open execute
 allow openvswitch_load_module_t proc_t:file { getattr open read };
 allow openvswitch_load_module_t self:system module_load;
 allow openvswitch_load_module_t self:process { siginh noatsecure rlimitinh siginh };
-allow openvswitch_load_module_t shell_exec_t:file { map execute read open getattr };
+allow openvswitch_load_module_t shell_exec_t:file { map execute execute_no_trans read open getattr };
 allow openvswitch_load_module_t sssd_public_t:dir { getattr open read search };
 allow openvswitch_load_module_t sssd_public_t:file { getattr map open read };
 allow openvswitch_load_module_t sssd_t:unix_stream_socket connectto;
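Review bot: The new `execute_no_trans` on `shell_exec_t` in the last hunk lets openvswitch_load_module_t run a shell inside its own domain, which is a broader grant than the module-loading rules around it and will be hard to justify at the next policy audit without a note; the AVC quoted in the commit log shows modprobe itself exec'ing /usr/bin/bash, presumably through a modprobe.d directive rather than OVS code, so I would record that above the rule: `# modprobe execs a shell (AVC: comm="modprobe" path="/usr/bin/bash"); stay in this domain rather than transitioning`. The same applies to the new `kernel_t:system module_request` rule in the previous hunk, where `# kernel-initiated alias request while loading nf_conntrack (AVC kmod="nf_conntrack-2")` would tie the grant to its trigger. If the shell dependency turns out to be specific to a distribution's modprobe configuration, saying so in the commit message would help whoever later tries to tighten this domain again.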